We are in the process of designing our Bug Bounty Program. In the meantime, if you believe you have discovered a bug or vulnerability in our code, please report it to firstname.lastname@example.org.
We'll review the issue, and a member of our dev team will get back to you ASAP. If your bug has merit, we'll work with you to fix it, and award a bounty based on the severity of the bug. We determine severity using the CVSS model.
Once the fix is complete, we'll publish a full retrospective in the interests of transparency. If the bug leaks prior to the retrospective being published, the bounty is void.
We look forward to working with you.